cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Remote Access Users license + count

I have already used the following lines in a reply, but now decided to make it a document 😊.

The "old" RA VPN client licensing worked by counting client IPs (called "seats", CLI "dtps lic" on policy server), and the used licenses count showed the number of clients that did connect during the last 30 days. This is different with MAB licenses, they are defined as the number of concurrent clients; MAB even has five grace clients, so the maximum number of concurrent clients is the number of licenses plus five.

Still, you can use the “Client type” filter on SVMonitor>User>All users, in order to filter according the type of the connection of the users. But there is no "dtps lic" for new endpoint client, MAB has its own CLI command, see Mobile Access Administration Guide R77 Versions pp. 188:

listusers - Shows a list of end-users connected to the gateway, along with their source IP addresses.

But that is not all as we can even take a look into the kernel tables 😉:

From sk39034: How to check the number of currently connected Remote Access users and sk14496: How to check the names of remote access users that have sent traffic through the Security G...

To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_users -s

To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:

[Expert@HostName]# fw tab -t userc_rules -f

You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:

# fw tab -t om_assigned_ips -s

HOST NAME ID #VALS #PEAK #SLINKS localhost om_assigned_ips 372 1 1 0

The above output (#VALS=1 ) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who take up from a different license (MAB). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:

# fw tab -t sslt_om_ip_params -s

HOST NAME ID #VALS #PEAK #SLINKS localhost sslt_om_ip_params 372 1 1 0

2 Replies

Re: Remote Access Users license + count

Hi Gunther,

When we are runing Provider-1 with multiple CMAs, the remote access license gets placed on at MDS level.

Are there any known commands for checking the overall usage of remote access on the entire management server , or would we have to review each CMA for the max number of connections to work out if our license was sufficient.

Many thanks

Peter

0 Kudos

Re: Remote Access Users license + count

The old "dtps lic" was issued on the policy server, and the new commands are all gateway-specific - so i get information for the gateway only.